Message-Id: <201308251328.r7PDS7JK019499@oldred.freebsd.org>
Date: Sun, 25 Aug 2013 13:28:07 GMT
From: Gerhard Brauer
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/181525: ports/i3lock don't check the password

>Number: 181525
>Category: ports
>Synopsis: ports/i3lock don't check the password
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Aug 25 13:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Gerhard Brauer
>Release: 9.1-RELEASE
>Organization:
>Environment:
FreeBSD ws01 9.1-RELEASE-p6 FreeBSD 9.1-RELEASE-p6 #0: Wed Aug 21 20:40:52 UTC 2013 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
i3lock 2.5

The i3lock screen locker could be unlocked after installation with any phrase. One "anykey" is enough to unlock. After discussion on the German FreeBSD mailing list we found the reason(s):

i3lock uses PAM to get authorization. It uses the "auth include login" PAM module, which itself uses pam_self. pam_self leads to the behavior that any phrase could do the unlock, because pam_self gives login permission if the calling process comes from the same UID - regardless of the submitted passphrase. With pam_self as a "sufficient module" a user could authenticate himself/herself without his/her password.
Using the PAM module "auth include system" disables this - more or less light - security hole, but the user could never authenticate, even with the correct password. The reason is that only root has access to verify the crypted passwords. So the i3lock binary also needs the setuid bit set. Other screen lockers/savers also have this set, for the same reasons.

With the current default settings i3lock under FreeBSD is useless and maybe a security problem if the user doesn't pay attention to the above.
>How-To-Repeat:
Build and install i3lock, use it as a user:
a) %i3lock
(Any phrase could do the unlock)
>Fix:
/usr/local/etc/pam.d/i3lock:
- auth include login
+ auth include system

chmod 4111 /usr/local/bin/i3lock
(the slock port, for example, does the same with its install script)
>Release-Note:
>Audit-Trail:
>Unformatted:
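
Review bot: the chmod 4111 step that follows the pam.d change is a hand-run command and says nothing about the file's owner; the setuid bit only lets i3lock verify the crypted password if /usr/local/bin/i3lock is owned by root, and a manual chmod is lost the next time the port is reinstalled. Suggest carrying both changes in the port itself: ship /usr/local/etc/pam.d/i3lock with "auth include system" and have the install step set owner root and mode 4111 together, since applying the PAM change alone leaves the user unable to unlock even with the correct password, as the description notes.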
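
A small audit check for the condition this report describes, added here as an example (it is not part of the original PR or of the i3lock port): it follows `include` lines in a service's auth chain and reports whether pam_self.so is reached as `sufficient` before any mandatory module. The policy texts are constructed samples modeled on the description, and the function names are hypothetical.

```python
"""Audit a PAM service's auth chain for a pam_self.so shortcut (added example)."""

# Constructed sample policies modeled on the report's description; they are
# not copies of real system files. Keys stand in for files under pam.d.
POLICIES = {
    "i3lock": "auth include login\n",          # port default per the report
    "i3lock-fixed": "auth include system\n",   # the report's proposed fix
    "login": "# constructed\nauth sufficient pam_self.so no_warn\nauth include system\n",
    "system": "auth required pam_unix.so no_warn try_first_pass\n",
}


def auth_chain(service, policies, seen=None):
    """Return [(control, module, defining_service)] for 'auth', following includes."""
    seen = set() if seen is None else seen
    if service in seen:                 # guard against include loops
        return []
    seen.add(service)
    chain = []
    for raw in policies.get(service, "").splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, target = fields[1], fields[2]
        if control == "include":
            chain += auth_chain(target, policies, seen)
        else:
            chain.append((control, target, service))
    return chain


def self_bypass(service, policies):
    """True if pam_self.so can end the chain with success before any
    required/requisite module (the password check) has been consulted."""
    for control, module, _ in auth_chain(service, policies):
        if module.startswith("pam_self") and control in ("sufficient", "binding"):
            return True
        if control in ("required", "requisite"):
            return False
    return False


if __name__ == "__main__":
    for name in ("i3lock", "i3lock-fixed"):
        print(name, "bypass" if self_bypass(name, POLICIES) else "ok")
```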